The Email Address search allows you to search on:



Full Email Address 

Do not search on/wildcard JUST the username, always 
include a specific domain 

Foreign-hosted domains (e.g. @cnc.cn) 

The query searches within bodies of emails,
webpages and documents for... (you guessed
it)... Email Addresses

To, From, CC, BCC lines.. 

“Contact Us” pages on websites 
Signature blocks 
Email Address

Email Addresses are found in many parts of
traffic







DNI Display 


Raw Data 


DNI Format 






XKEYSCORE has picked 
up traffic with email 
addresses in it. 
Email Address

DNI Display Raw Data DNI Format



RE: Malaysia Tax 




Date: Tue Jun 23 12:41:25 GMT 2009 

Attachments: image001.jpg (12013 bytes);



XKEYSCORE C2C Session Viewer

Datetime: 2009-06-23 12:41:23
Case Notation: PRPA07550000000
From IP: 198. (United States)
To IP: 219 (Malaysia)
From Port: 39247
To Port: 25
Protocol: tcp
Length: 48



Session, Header (3), Attachments, Meta (10)

attribute info.txt
fingerprints.xml
email addresses.txt
tech.html
application.xml
appproc.asdf
xks_snippet.txt
phone_number.html
user_activity.xml
ip_lc_trie.txt

email addresses.txt

FORMATTER: AUTO




XKEYSCORE parses out everything it ‘thinks’ is 
an email address, so don’t be fooled by mis-hits 
Enter usernames and domains into query

Creating Email Address Queries






BE VERY CAREFUL of OR’ing domains 




Search: Email Addresses 



Query Name: 




Justification: 



agi in Iran sample 



When working with multiple 
domains, create separate 
Email Address queries for 
each. i.e. Group your 
queries by domain names. 



Additional Justification: 



Miranda Number:




Datetime: 1 Day

Start: 2009-06-23 00:00

Stop: 2009



Email Username:

badguy or baddude1 or badguysemail

@Domain: yahoo.com or hotmail.com

Subject:

Multiple domains means
either badguy@yahoo.com
or badguy@hotmail.com.

Are both your targets? 
Email Address




Sample Search: baku@huawei.com 




Search: Email Addresses 



Query Name: 

Justification: 

Additional Justification: 

Miranda Number: 




Datetime: 1 Week

Start: 2009-06-17 00:00



St 



Email Username: 



baku 



@Domain:



huawei.com 
Email Address

Email Addresses are found in many parts of
traffic



DNI Display Raw Data DNI Format 



HTTP Header Information

Content Type: HTTP/HTML

Fax: 0061-2-94118533
Vienna, Austria

Ezone Office Building, 4th Floor Top 7, Ernst-Melchior-Gasse 20, 1020 Vienna, Austria



Results here are from 
someone viewing a website 
that contained the email 
address 



[Screenshot of the viewed web page, continued: office contact listings (address, Tel, Fax, E-mail) for Baku, Azerbaijan; Bahrain; Dhaka, Bangladesh; and Minsk, Belarus. The E-mail entry is not legible.]
collection (such as chat, webmail, etc)

Allows more flexible search criteria than 
Email Address query 

Can search on: Cookies, numeric logins (e.g. 
web forums & OSN), VoIP selectors, webcam 
first images, Webmail profile information from 
registration (birthdays), general usernames 
Creating User Activity Queries







The fields in a User Activity query can be 
confusing 





[Screenshot of User Activity results. Columns shown include Search For, Search Value, Attribute Type, Attribute Value, communicants, contact list, direction and raw metadata. Every row has Search For = username; one row shows direction = server-to-client.]



Notice partial email addresses in the 
“Search Value” field.. 




[Screenshot values: emailAddr, yahoo, YMSG]
Creating User Activity Queries
















Scenario: 

You have a target’s email address 




hotmail.com

Known: One email address 

Unknown: Alternate ID’s, IPs, Location, Photo, 
etc... (lots of stuff) 

Where do we begin? 
I have an Email Address and want to see if it’s being collected?

Do an Email Address query on username and domain 



Email Username: 



baku 



@Domain:



huawei.com 



Do a User Activity query on the email address in the “Selector Value” 



Search Value: 



baku@huawei*
I have a Cookie and want to see what other accounts access this
computer

Do TWO separate User Activity queries on the cookies



1. 



Attribute Value: 


dg8q0od4u0li4 







[Results table (screenshot): 11 rows, each with Search For = username. The Search Value column is not legible apart from "yahoo". Attribute Type is either B_cookie or yahooBcookie, and Attribute Value is dg8q0od4u0li4 on every row.]



Brings back THESE 
results... 



Notice redundancy.. So you MAY miss traffic
if you select “B_cookie" or “yahooBcookie” 
(don’t know why) 






I have a Cookie and want to see what other accounts access this 
computer 

Do TWO separate User Activity queries on the cookies

2.

Search Value: dg8q0od4u0li4



[Results table (screenshot): 9 rows, each with Search For = username, Search Value = the cookie value, and Attribute Type = yahoo.]



Brings back THESE 
results... 



Search For 


Search Value 


Attribute Type 
Notice redundancy.. So you MAY miss traffic
if you select “B_cookie" or “yahooBcookie” 
(don’t know why) 






I have a Cookie and want to see what other accounts access this 
computer 

Do a Marina query on the cookie as well (why not)? 



Specify Date Range (YYYYMMDD [hhmmss]):



20090B14 




20D90B2Q 





Search for User Activity by: Strong Selectors (Emails, IDs, Cookies, Mail Tokens, Phone

where value is: exactly match

the value(s): dg8q0od4u0li4<yahoobcookie>

(100.000 raw metadata result limit)

Query Justification (optional): iranian b cookie in esfahan
I have a Cookie and want to see what other accounts access this
computer 



Do a Marina query on the cookie as well (why not)? 



USER A, ACTIVITY, USER B, COOKIE

<yahoo> seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>
<yahoo> seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>
<yahoo> seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>
So let’s put the cookie query all together...

Between Marina and XKS, I should have an idea of all the accounts



Results pulling on dg8q0od4u0li4 as a Search Value



[Results table (screenshot): three rows, each with Search For = username, Search Value = dg8q0od4u0li4 and Attribute Type = yahoo, followed by a raw metadata column.]



Plus my Marina results 




ACTIVITY, USER B, COOKIE

seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>
seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>
seen with machine ID dg8q0od4u0li4<yahooBcookie> dg8q0od4u0li4<yahooBcookie>



RESULTS: Three users on the computer..
I have an IP address and want to know what users/accounts are
collected in that network? (I.E. a Cafe’s IP address, or mail/web 
server for an organization) 

Do an Email Address query
on the IP address



Email Username: 



@Domain:



Subject: 



IP Address: 







From





Do a User Activity query 
on the IP address 



Search For
Search Value
Realm
Attribute Type
Attribute Value
Activity
seme 

IP Address: 
Email Address query looks for the @ symbol in
traffic



User Activity search allows you to query on 
more than just an email address 